Configuring the Switch
3-78
Client Security
This switch supports many methods of segregating traffic for clients attached to
each of the data ports, and for ensuring that only authorized clients gain access to
the network. Private VLANs and port-based authentication using IEEE 802.1X are
commonly used for these purposes. In addition to these methods, several other
options of providing client security are supported by this switch. These include
port-based authentication, which can be configured for network client access
by specifying a fixed set of MAC addresses. The addresses assigned to DHCP
clients can also be carefully controlled using static or dynamic bindings with the IP
Source Guard and DHCP Snooping commands.
This switch provides client security using the following options:
• Private VLANs – Provide port-based security and isolation between ports within the
assigned VLAN. (See “Configuring Private VLANs” on page 3-168.)
• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports.
(See “Configuring 802.1X Port Authentication” on page 3-69.)
• Port Security – Configure secure addresses for individual ports.
• ACL - Access Control Lists provide packet filtering for IP frames (based on
• address, protocol, Layer 4 protocol port number or TCP control code) or any
• frames (based on MAC address or Ethernet type).
• IP Source Guard – Filters untrusted DHCP messages on unsecure ports by
building and maintaining a DHCP snooping binding table. (See “IP Source Guard”
on page 3-95.)
• DHCP Snooping – Filters IP traffic on unsecure ports for which the source address
cannot be identified via DHCP snooping nor static source bindings. (See “DHCP
Snooping” on page 3-88.)
Note:
The priority of execution for the filtering commands is Port Security, Access
Control Lists, IP Source Guard, and then DHCP Snooping.
Configuring Port Security
Port security is a feature that allows you to configure a switch port with one or more
device MAC addresses that are authorized to access the network through that port.
When port security is enabled on a port, the switch stops learning new MAC
addresses on the specified port when it has reached a configured maximum
number. Only incoming traffic with source addresses already stored in the dynamic
or static address table will be accepted as authorized to access the network through
that port. If a device with an unauthorized MAC address attempts to use the switch
port, the intrusion will be detected and the switch can automatically take action by
disabling the port and sending a trap message.
To use port security, specify a maximum number of addresses to allow on the port
and then let the switch dynamically learn the <source MAC address, VLAN> pair for
frames received on the port. Note that you can also manually add secure addresses
to the port using the Static Address Table (page 10-1). When the port has reached
To Next Page
Loading...
Need help?
General